Organizations of all sizes struggle to protect their endpoints from a constant barrage of cyber attacks such as malware. Traditional defense mechanisms like anti-malware solutions may employ a blacklisting strategy, where every executable (also referred to herein as an “application”) is granted execution privilege except for some well-known malicious executables. However, such blacklisting strategies are not effective, as new forms of malware emerge frequently, making it hard for system administrators to identify and combat these threats before it is too late. In summary, blacklisting-based approaches simply cannot keep pace with the sheer volume of newly emerging malware.
An alternative approach known as whitelisting, where only well-known applications are given execution privileges, has been gaining momentum. The main challenge with adopting a whitelisting strategy is that, as new applications emerge, much of their runtime behavior remains unknown. Before such unknown applications, which are referred to as “gray” applications, can be added to the whitelist, their runtime behavior must first be examined and classified as safe by the system administrator. However, as the number of gray applications continues to increase with the rapid development of new applications, it is difficult for the system administrator to keep pace.